author    Lucas Charles <me@lucascharles.me>  2019-09-10 14:37:51 -0700
committer Lucas Charles <me@lucascharles.me>  2019-09-10 14:45:04 -0700
commit    d7a7ef4bd0a344e27ff3c35c70f594c233389d96 (patch)
tree      370a03c93220fe1e3469c5e790f0b95d2be6ccea
parent    0498ec89a1b44caad91603215d1ea96aaa4e1eb8 (diff)
Enable modsecurity in nginx-ingress deployments (branch: 65192-enable-modsecurity-in-ingress-ce)

Update the default ingress chart to enable modsecurity along with the default Core Rule Set. This functionality uses the default settings of "detection-only" mode to log requests to the audit log but blocks no traffic by default.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/65192
-rw-r--r--  app/models/clusters/applications/ingress.rb                       | 18
-rw-r--r--  changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml | 5
-rw-r--r--  doc/user/clusters/applications.md                                | 21
3 files changed, 44 insertions, 0 deletions
diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index 50def3ba38c..8654393dc95 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -35,6 +35,10 @@ module Clusters
'stable/nginx-ingress'
end
+ def values
+ content_values.to_yaml
+ end
+
def allowed_to_uninstall?
external_ip_or_hostname? && application_jupyter_nil_or_installable?
end
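Review bot: the new `values` method (`+ def values` / `+ content_values.to_yaml`) re-reads and re-parses the chart values file from disk every time it is called, because `content_values` does a fresh `YAML.load_file` on each invocation; if callers invoke `values` more than once per install, consider memoizing the merged hash. This commit also ships no spec for the new behaviour (the file list is the model, a changelog entry and docs only), so a model spec asserting that `values` contains `enable-modsecurity: "true"` and `enable-owasp-modsecurity-crs: "true"` would guard the merge.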
@@ -67,6 +71,20 @@ module Clusters
private
+ def specification
+ return {} unless Feature.enabled?(:ingrees_modsecurity, cluster.project)
+
+ {
+ "controller" => {
+ "config" => { "enable-modsecurity" => "true", "enable-owasp-modsecurity-crs" => "true" }
+ }
+ }
+ end
+
+ def content_values
+ YAML.load_file(chart_values_file).deep_merge!(specification)
+ end
+
def application_jupyter_nil_or_installable?
cluster.application_jupyter.nil? || cluster.application_jupyter&.installable?
end
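Review bot: the flag name in `return {} unless Feature.enabled?(:ingrees_modsecurity, cluster.project)` is misspelled. The docs hunk in this same commit tells users to run `Feature.disable(:ingress_modsecurity)`, which toggles a different flag and leaves this guard unaffected, so the documented opt-out does nothing. Rename to `:ingress_modsecurity` and add a spec that exercises both flag states. Minor: `YAML.load_file(chart_values_file).deep_merge!(specification)` uses the full YAML loader on the values file; since the parsed result is merged straight into deployment values, `YAML.safe_load(File.read(chart_values_file))` is the more conservative choice even though the file ships with the application.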
diff --git a/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml b/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml
new file mode 100644
index 00000000000..8a2e9fae1c1
--- /dev/null
+++ b/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml
@@ -0,0 +1,5 @@
+---
+title: Enable modsecurity in nginx-ingress apps
+merge_request: 32905
+author:
+type: added
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md
index e43b1ca6826..518094d2cc9 100644
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -117,6 +117,27 @@ balancing, SSL termination, and name-based virtual hosting. It acts as a
web proxy for your applications and is useful if you want to use [Auto
DevOps](../../topics/autodevops/index.md) or deploy your own web apps.
+#### Modsecurity Application Firewall
+
+By default we enable
+[`modsecurity`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity)
+to check requests against [OWASP's Core Rule Set](https://www.modsecurity.org/CRS/Documentation/).
+This feature runs in "Detection-only mode" unless configured and is viewable by
+checking your ingress controller's modsec log for rule violations.
+This can be done by tailing the audit log on your ingress-controller pod:
+
+```
+kubectl -n gitlab-managed-apps exec -it ingress-nginx-ingress-controller-8675309-bz5n4 -- tail -f /var/log/modsec_audit.log
+```
+
+There is a small performance overhead by enabling modsecurity, however,
+if this is considered significant for your application you can disable this
+using a feature flag by running the following command within the rails console:
+
+```ruby
+Feature.disable(:ingress_modsecurity)
+```
+
NOTE: **Note:**
The
[stable/nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress)
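Review bot: the example `kubectl -n gitlab-managed-apps exec -it ingress-nginx-ingress-controller-8675309-bz5n4 -- tail -f /var/log/modsec_audit.log` hardcodes a pod name no reader will have; state that the controller pod name must be looked up first (for example with `kubectl -n gitlab-managed-apps get pods`) or select it by label. The `Feature.disable(:ingress_modsecurity)` instruction also does not match the flag the model checks (`:ingrees_modsecurity`), so as committed the disable command has no effect. Finally, "runs in "Detection-only mode" unless configured" should spell out what the commit message already says: matching requests are written to the audit log but no traffic is blocked, so this change adds visibility rather than enforcement, and readers should not assume requests are being rejected.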